ABSTRACT


This paper proposes a unified framework for defining opacity properties in both discrete and real-time systems. The framework leverages language inclusion problems to establish a common ground for expressing and comparing various opacity concepts under different observation categories. We build upon existing formalisms for opacity in Labeled Transition Systems (LTS) and Timed Transition Systems (TTS). We explain the connection between these automata models and how they are used to represent system behavior. Our framework allows for the unification of opacity definitions across these models, enabling easier comparison and analysis. Additionally, we present transformations between different opacity concepts and compile decidability results for the unified framework. Finally, we illustrate the relationships between key opacity studies through a dependency diagram.
1. INTRODUCTION


Ensuring confidentiality in complex systems is crucial, especially when dealing with sensitive information. Traditional security models like non-interference might not always suffice. This paper delves into a powerful security property called opacity. This property guarantees a system's ability to hide a specific subset of its behavior, even if the general operation is visible to an external observer (often referred to as an attacker). This means the attacker cannot definitively determine if the system is in a secret state or performing a secret action, even by observing its public behavior.


Research on opacity has been steadily growing, with applications in diverse areas such as cryptography and Discrete Event Systems (DES). Different studies use various system models (e.g., Petri nets [4], Labeled Transition Systems [6, 35], automata [7, 22, 23], recursive tile systems [23] and pushdown systems [8]) and observation scenarios, which makes it challenging to compare and analyze opacity properties across these contexts. In a system's LTS model, predicates act as spotlights, highlighting specific subsets of states or events. Unlike Finite State Automata (FSA), LTSs are not limited to a finite number of states or transitions [27, 30, 34]. The property of opacity was then introduced for real-time systems modeled by Timed Transition Systems (TTS). The author of [21] proposes timed opacity for real-time systems modeled by timed automata (TA).


This paper proposes a unified framework for formalizing opacity properties. This framework allows us to analyze and compare opacity across different system models and observation settings. Here's what you can expect:

• We explore various observation categories through clear examples.
• We unify the definitions of opacity properties within our framework.
• We establish mathematical connections between existing opacity formalisms.
• We compile existing results on the decidability of these unified opacity concepts.
• We present a dependency diagram visualizing the relationships among key studies on opacity.

This unified framework paves the way for a more 
comprehensive understanding of opacity. It allows 
researchers to compare different opacity properties, 
fostering advancements in the field. The framework 
also lays the groundwork for potential future research 
on verification methods and decidability of opacity 
properties under various conditions. 


By the end of this paper, you will have a deeper understanding of:

• The concept of opacity and its importance in system security.
• How a unified framework simplifies the analysis of opacity across diverse systems.
• The existing body of research on opacity and its connection to our proposed framework.


The paper is structured as follows. Section 2 introduces the background concepts of transition systems and languages, including Labeled Transition Systems (LTS) and Timed Transition Systems (TTS). Section 3 delves into Timed Automata, the standard modeling formalism for real-time systems. Section 4 explores the concept of observation functions, covering static, dynamic, and Orwellian projections. Section 5 presents established opacity properties for discrete systems with static projections. In this section, we propose a unified framework for formalizing opacity properties. Section 6 explores the transformation between different opacity notions. Sections 7 and 8 examine opacity with dynamic and Orwellian projections, respectively. Section 9 extends opacity to timed systems with static projections using the proposed framework. Section 10 discusses verification and decidability of opacity properties. Section 11 provides a comparative overview of existing opacity definitions and our proposed framework. Finally, Section 12 concludes the paper by summarizing the contributions of the unified framework and outlining potential avenues for future research.


2. TRANSITION SYSTEMS AND LANGUAGES

Transition systems can be used to model software and hardware systems [35]: states represent the various configurations and actions cause transitions between them. One way to represent this is a graph whose vertices are the states and whose labeled edges are the actions. State labeling adds information about the values of variables. The paradigm used for discrete systems is called a Labeled Transition System, whereas for real-time systems it is called a Timed Transition System.

2.1. Labeled Transition Systems (LTS) and Discrete Languages

LTSs are essentially directed graphs, possibly infinite, with labeled edges [12]. Nodes represent the system's states, and edges depict transitions between them triggered by specific actions.


Definition 1: A Labeled Transition System is a quadruple LG = (Q, Q₀, Σ, →) where: Q is a finite set of states, Σ is a finite set of actions, Q₀ ⊆ Q is the set of initial states, and → ⊆ (Q × Σ × Q) is the transition relation.


Note: ℕ is the set of natural numbers. ℚ, ℚ₊ and ℚ₊* are respectively the sets of rational, nonnegative rational and positive rational numbers. X is a set of clocks and C(X) is the set of convex clock constraints on X, i.e., conjunctions of constraints of the form φ ::= x − y ~ c | x ~ c | φ ∧ φ with ~ ∈ {<, ≤, =, ≥, >}, x, y ∈ X and c ∈ ℚ₊. A clock valuation is a mapping v: X → ℚ₊. (v + d)(x) = v(x) + d where d ∈ ℚ₊. v[X' → 0](x) = 0 if x ∈ X', otherwise v[X' → 0](x) = v(x), ∀X' ⊆ X.


A path Φ = q₀, q₁, ..., qᵢ, ... is an infinite sequence of states. Φ[i] is the i-th element of Φ, Φ[i..] = qᵢ qᵢ₊₁ ... and Φ[i, j] = qᵢ ... qⱼ, where q₀ ∈ Q₀ and ∀i ≥ 0, qᵢ ∈ Q. Path(LG, qᵢ) is the set of all paths executed by the LTS starting from the state qᵢ, and Path(LG) = Path(LG, q₀) when q₀ is the initial state of LG. We note that the set of paths is an infinite and uncountable set.

An execution w = exec(Φ) = a₀, a₁, ..., aᵢ, ... is an infinite sequence of actions. The LTS can accept the empty string, denoted by ε. w₁ is a prefix of w₂, denoted by w₁ ≤ w₂, if ∃w₃ such that w₁.w₃ = w₂; then w₃ = w₂ − w₁. |w| returns the length of the discrete word w, where w, w₁, w₂, w₃ ∈ Σ*.


A discrete language Lang is an infinite set of executions. Lang(LG, qᵢ, qⱼ) = {exec(Φ[i, j]) | Φ[i, j] ∈ Path(LG)} is the set of executions started by qᵢ and ended by qⱼ. Extended: Lang(LG, Qᵢ, Qⱼ) = ∪_{qᵢ ∈ Qᵢ, qⱼ ∈ Qⱼ} Lang(LG, qᵢ, qⱼ). Lang(LG, qᵢ) = {exec(Φ[i..]) | Φ[i..] ∈ Path(LG)} is the set of executions started by qᵢ. Extended: Lang(LG, Qᵢ) = ∪_{qᵢ ∈ Qᵢ} Lang(LG, qᵢ).

Lang(LG) = Lang(LG, Q₀) is the set of executions started by the initial states.


A bounded discrete language Lang_K is a finite set of executions, where K ∈ ℕ is a constant. Lang_K(LG, qᵢ) = {w | ∃w' ∈ Lang(LG, qᵢ) such that w ≤ w' and |w| ≤ K} is the set of executions started by qᵢ whose length is less than or equal to K. Lang_K(LG, Qᵢ) = ∪_{qᵢ ∈ Qᵢ} Lang_K(LG, qᵢ). Lang_K(LG, qᵢ, qⱼ) = {w | ∃w' ∈ Lang(LG, qᵢ, qⱼ) such that w ≤ w' and |w| ≤ K}.

Extended: Lang_K(LG, Qᵢ, Qⱼ) = ∪_{qᵢ ∈ Qᵢ, qⱼ ∈ Qⱼ} Lang_K(LG, qᵢ, qⱼ). The prefix-closed language is Lang_≤(LG, qᵢ, qⱼ) = {w | ∃w' ∈ Lang(LG, qᵢ, qⱼ) such that w ≤ w'}. Extended: Lang_≤(LG, Qᵢ, Qⱼ) = ∪_{qᵢ ∈ Qᵢ, qⱼ ∈ Qⱼ} Lang_≤(LG, qᵢ, qⱼ).
A language can be described by a regular expression. Regular expressions are strings over the alphabet Σ ∪ {(, ), ∅, ∪, *, ε}. Formally:

Lang(∅) = ∅;
Lang(a) = {a};
Lang((w₁.w₂)) = Lang(w₁)Lang(w₂);
Lang((w₁ ∪ w₂)) = Lang(w₁) ∪ Lang(w₂);
Lang(w*) = Lang(w)*

where a, w₁, w₂ and w are regular expressions.


Time is a critical component of a system. Researchers introduce the concept of time into classical transition systems by assuming that all discrete transitions occur instantaneously, whereas real-time constraints restrict the times at which these transitions may take place. The authors of [37] present the concept of TTSs and give a precise definition of a real-time system as a collection of timed execution sequences. A TTS is a Labeled Transition System (LTS) that carries two types of labels: the discrete and the continuous activities of real-time systems.


2.2. Timed Transition Systems (TTS) and Timed Languages

Timed Transition Systems (TTS) are 
characterized by a framework that allows for the 
association of time with a transition relationship [37]. 
In a TTS, there are two types of transitions: 
continuous transitions, which depict the passage of 
time or a gradual change, and discrete transitions, 
which represent the progression after a specific action 
or event. 


Definition 2: A Timed Transition System is a quadruple G = (Q, Q₀, Σ, →) where: Q is a finite set of states, Q₀ ⊆ Q is the set of initial states, Σ is a finite set of actions, and → ⊆ (Q × (Σ ∪ ℚ₊) × Q) is the transition relation.


The relation → is defined by q →^e q', where q, q' ∈ Q and e is a transition between them, (q, e, q') ∈ →. There are two kinds of transition relation →: the continuous (or delay) transition relation q →^d q' with d ∈ ℚ₊, and the discrete transition relation q →^a q' with a ∈ Σ. The properties of a TTS are: the null delay (or 0-delay) property: if q →^0 q' then q = q'; the time additivity property: if q →^γ q' and q' →^γ' q'' then q →^{γ+γ'} q'' with γ, γ' ∈ ℚ₊; the time continuity property: if q →^γ q' then ∀γ', γ'' ∈ ℚ₊ such that γ = γ' + γ'', ∃q'' ∈ Q such that q →^γ' q'' and q'' →^γ'' q'; the time determinism property: if q →^γ q' and q →^γ q'' then q' = q''.

We extend ≤ and |·| to timed words u, v ∈ (Σ × ℚ₊)*. TPath is the set of transition-runs ψ, each of which induces a sequence of states.

A transition-run ψ = e₀, e₁, ..., eᵢ, ... is an infinite sequence of transitions. For simplicity, it is denoted by ψ = q₀ →^{e₀} q₁ ... qᵢ →^{eᵢ} .... ψ₁ is a prefix of ψ, denoted by ψ₁ ≤ ψ, if ψ = ψ₁ . qᵢ₊₁ ... and ψ₁ = q₀ →^{e₀} q₁ ... qᵢ →^{eᵢ} qᵢ₊₁, ∀i ≥ 0.

TPath(G) is the set of all paths executed by G. A run ρ_G of a transition-run ψ is a possibly infinite sequence of alternating delay and discrete transitions ρ_G(ψ) = q₀ →^{d₀} q₀' →^{a₀} q₁ →^{d₁} q₁' →^{a₁} q₂ ..., where dᵢ corresponds to the duration between qᵢ and qᵢ₊₁.


An execution ρ_G is a possibly infinite sequence ρ_G(ψ) = q₀ →^{(a₀,d₀)} q₁ →^{(a₁,d₁)} q₂ ... qᵢ →^{(aᵢ,dᵢ)} qᵢ₊₁ .... A trace tr(ρ_G(ψ)) of an execution ρ_G(ψ) is a possibly infinite sequence of alternating times and actions tr(ρ_G(ψ)) = q₀ →^{(a₀,γ₀)} q₁ →^{(a₁,γ₁)} q₂ ... qᵢ →^{(aᵢ,γᵢ)} qᵢ₊₁ ..., where γ₀ = d₀ and γᵢ = Σ_{j=0}^{i} dⱼ is the execution time at state qᵢ, that is the sum of all the previous durations in the path.

A timed word u of a given trace tr(ρ_G(ψ)) is u = tw(tr(ρ_G(ψ))) = (a₀, γ₀)(a₁, γ₁) ... (aᵢ, γᵢ) .... The set of generated timed words is the timed language TL(G) = {u = (a₀, γ₀)(a₁, γ₁) ... (aᵢ, γᵢ) ... | u = tw(tr(ρ_G(ψ))), ψ ∈ TPath(G)}.

The finite timed language is the set of finite timed words TL^f = {u | u = (a₀, γ₀)(a₁, γ₁) ... (aₙ, γₙ)}. TL^∞ contains both the infinite and the finite timed words: TL^∞ = TL ∪ TL^f.


Typically, TTSs are employed to give the meaning (semantics) of a model. Timed Automata (TA) are a type of model more appropriate for modeling, verification and control.


3. TIMED AUTOMATA AND TIMED LANGUAGE


This section presents the standard modeling formalism for real-time systems, Timed Automata, along with several of its subclasses. Timed automata, as described in [5], are automata with a finite control and a finite set of clocks. They are used to represent real-time systems that operate in continuous time.


Definition 3: [5] A Timed Automaton (TA) A is a tuple A = (L, l₀, X, Σ, I, T) where L is a finite set of locations; l₀ ∈ L is the initial location; X is a finite set of clocks with n = |X|; Σ is a finite set of actions; I ∈ C(X)^L is a mapping that associates an invariant with each location; T ⊆ L × C(X) × Σ × 2^X × L is a finite set of transitions. In an edge e = (l, g, a, r, l') ∈ T, g is the guard, a is the action and r is the reset set.

Definition 4: A Timed Automaton with final locations A_F is a tuple A_F = (A, F) where A is a TA as defined in Definition 3 and F ⊆ L is a finite set of final locations.


The semantics of a TA A is given by a timed transition system labeled with transitions. The delay transition signifies the passage of time, while discrete transitions indicate the changeover to the next attainable state in A.

Definition 5: The semantics of a TA A is the TTS G_A = (Q, {q₀}, Σ, →) where Q ⊆ L × ℚ₊^{|X|} is the set of states (pairs (l, v) of a location and a clock valuation), {q₀} is the initial state and → ⊆ (Q × (Σ ∪ ℚ₊) × Q) is the transition relation. There are two kinds of transition relation → in a TA:

Delay transition relation: if (l, v) →^t (l', v') then l = l', v' = v + t and I(l')(v') = True. Discrete transition relation: if (l, v) →^e (l', v') then g(v) = True, v' = v[r → 0] and I(l')(v') = True, where e = (l, g, a, r, l') ∈ T and the guard g is satisfied by the clock valuation obtained by adding the delay to the current valuation.


Let A_F be a timed automaton with final locations. A path in A_F starts at the initial location l₀ and ends at a final location l_p ∈ F. This path contains a sequence of transitions called a transition-run ψ_p = l₀ →^{e₀} l₁ ... →^{e_{p−1}} l_p; last(ψ_p) = l_p returns the last location of ψ_p.

For a finite transition-run ψ_p, an execution of the automaton is ρ_G(ψ_p) = l₀ →^{(a₀,d₀)} l₁ ... →^{(a_{p−1},d_{p−1})} l_p, a trace is tr(ρ_G(ψ_p)) = l₀ →^{(a₀,γ₀)} l₁ ... →^{(a_{p−1},γ_{p−1})} l_p, a timed word is u = tw(tr(ρ_G(ψ_p))) = (a₀, γ₀)(a₁, γ₁) ... (a_{p−1}, γ_{p−1}), and the accepted timed language of A_F is TL(A_F) = {u | u = tw(tr(ρ_G(ψ_p))), ψ_p ∈ TPath(A_F, F)}.

TL(A_F, l) = {u | u = tw(tr(ρ_G(ψ_p))), ψ_p ∈ TPath(A_F, F) and last(ψ_p) = l} is the accepted timed language of A_F whose final location is l. By extension, TL(A_F, SL) = ∪_{l ∈ SL} TL(A_F, l) is the timed language ended by a subset of locations SL ⊆ L.


4. THE OBSERVATION FUNCTIONS 


The purpose of opacity is to ascertain whether the concealed actions of a system are effectively hidden from external observers. A predicate represents a subset of the system behavior. The outsiders are passive observers of the system's actions and are referred to as intruders. More specifically, the outsider is presumed to have a comprehensive understanding of the system's architecture and limited observations of its functioning. Partial observation typically means that an external observer is unable to perceive a subset of the events of an execution. Hence, the set of events Σ is partitioned into an observable set Σₒ and an unobservable set Σᵤ. The behavior visible to an observer is defined by its projection, which removes from a sequence w all events that are not in Σₒ. Opacity qualifies a given predicate φ ⊆ Lang(LG) with respect to an observation function Obs modeling the user's capability to observe the system. Formally, Obs: Σ* → Σₒ*, with Obs(w) ∈ Σₒ* for all w ∈ Σ*, is an observation function. Two executions w, w' ∈ Lang(LG) ⊆ Σ* are observationally equivalent w.r.t. Obs if Obs(w) = Obs(w'). We define the categories of projection found in the literature in the following subsections.


4.1. Static projection 


Static observation (projection) is the most used observation in system models, also called simple projection. Static observation means that the same occurrence is always interpreted in the same way by an observer. The interface between an observer and a system is identified by a set of events Σₒ ⊆ Σ, with Σ − Σₒ = Σᵤ, where Σᵤ is the set of unobservable events and Σₒ is the set of observable events. Thus, the static projection is defined for the discrete sequence w = a₁a₂...aₙ and denoted by P_Σₒ. Formally, P_Σₒ: Σ* → Σₒ* is defined as follows:

P_Σₒ(ε) = ε;
P_Σₒ(w.a) = P_Σₒ(w) if a ∈ Σᵤ    (1)
P_Σₒ(w.a) = P_Σₒ(w).a otherwise

where w ∈ Σ*, a ∈ Σ and ε is the empty string.

[w]_Σₒ represents the set of all executions having the same projection as w. [32] expresses this projection in another form.

Definition 6: [32] According to observation function Obs: Σ* → Σₒ*, the static projection is a mapping Obs': Σ → Σₒ ∪ {ε} such that ∀w = a₁a₂...aₙ ∈ Σ*, Obs(w) = Obs'(a₁)Obs'(a₂)...Obs'(aₙ).


Example 1: Let LG be a labeled transition system as shown in Figure 1 with Q = {q₀, q₁, q₂, q₃, q₄, q₅, q₆} the set of states, Σₒ = {a, b} the observable events and Σᵤ = {c} the unobservable events.

The static projection of the word u = ccabbc is P_Σₒ(u) = abb. Using the definition of [32], the static projection of u = ccabbc is Obs(u) = Obs'(c)Obs'(c)Obs'(a)Obs'(b)Obs'(b)Obs'(c) = εεabbε = abb (where Obs'(c) = ε, Obs'(a) = a and Obs'(b) = b).

In the same way, P_Σₒ(v) = abb where v = abcb. The static projection of the word v = abcb is Obs(v) = Obs'(a)Obs'(b)Obs'(c)Obs'(b) = abεb = abb (where Obs'(c) = ε, Obs'(a) = a and Obs'(b) = b).

Figure 1: Example of automaton


4.2. Dynamic projection 


Dynamic observation, in contrast, involves the 
study of how a system evolves and changes over 
time. It considers the interactions, processes, and 
behaviors that unfold within the system. This 
approach provides a more holistic understanding by 
capturing the system's temporal aspects, making it 
particularly valuable for analyzing systems with fluid 
and evolving characteristics. 


A filter is employed in dynamic projection to impede the transmission of information between the system and the attacker. This approach was introduced in [10, 25]: the projection dynamically modifies the observability of events so that the attacker cannot infer secret information from observations. Dynamic observation is based on the prefix: the observer uses the knowledge gained from previous events to interpret the current one, i.e., the set of observable events changes over time according to a dynamic mask. After each observation, the observer can update the set of events that it can observe. The interface between an observer and a system is identified by a dynamic observability, which is a mapping T_D: Σ* → 2^Σ. Formally, the dynamic projection for T_D, denoted by DP_{T_D}: Σ* → Σ*, is defined as follows:

DP_{T_D}(ε) = ε
DP_{T_D}(w.a) = DP_{T_D}(w).a if a ∈ T_D(DP_{T_D}(w))    (2)
DP_{T_D}(w.a) = DP_{T_D}(w) otherwise


Dynamic functions are akin to an observer with unlimited memory capacity to retain labels. However, they can only rely on knowledge of past labels to understand the present label and cannot subsequently reinterpret it. The dynamic projection can be expressed in another form by [32].

Definition 7: [32] According to observation function Obs: Σ* → Σₒ*, Σₒ ⊆ Σ. The dynamic projection is a mapping Obs': Σ × Σ* → Σₒ ∪ {ε} such that ∀w = a₁a₂...aₙ ∈ Σ*, Obs(w) = Obs'(a₁, ε) Obs'(a₂, a₁) ... Obs'(aₙ, a₁...aₙ₋₁).
Example 2: We recall the LTS LG of Example 1 in Figure 1. The dynamic observability is defined as follows:

T_D(w) = {a} if w ∈ Lang(c*a)
T_D(w) = {a, b, c} otherwise (w ∈ Σ*)

Figure 2: Details of dynamic projection (the derivation of DP_{T_D}(ccabc), unfolding equation (2) one event at a time by testing a ∈ T_D(DP_{T_D}(w)) at each step)


According to Figure 2, the dynamic projection of u = ccabc is DP_{T_D}(u) = DP_{T_D}(ccabc) = cca. In the same way, Obs(ccabc) = Obs'(c, ε) Obs'(c, c) Obs'(a, cc) Obs'(b, cca) Obs'(c, ccab) = c.c.a.ε.ε = cca.

Initially, all events are observable. However, once event a occurs, it hides all subsequent occurrences of b or c, allowing only a to be observed. Once a has been observed again, the mask lifts and a, b and c become visible once more.

Consider Σₒ ⊆ Σ. If DP_{T_D} is a dynamic projection where T_D is the constant mapping that makes exactly the events in Σₒ observable, then the dynamic projection coincides with the static one: DP_{T_D} = P_Σₒ. We now present the dynamic mask, which encodes a dynamic projection using an automaton.


Definition 8: A mask is a complete and deterministic labeled automaton LG_M = (Q_M, Q_{M0}, Σ, Γ, T) for an LTS LG, where Q_M is the set of states, Q_{M0} = {q₀} with q₀ ∈ Q_M the initial state, Σ is the set of events, Γ: Q_M → 2^Σ is a labeling function that specifies the set of events that the mask keeps observable at state q, and T: Q_M × Σ* → Q_M is the transition function. The transition started in q, ended in state q' and executing action a, denoted by T(q, a) = q', corresponds to the transition relation (q, a, q') ∈ → of an LTS (Q, Q₀, Σ, →). The transition function is defined as follows:

T(q, ε) = q
T(q, w.a) = T(T(q, w), a) = q'' if a ∈ Γ(T(q, w)) and T(T(q, w), a) = q''    (4)
T(q, w.a) = T(q, w) if a ∉ Γ(T(q, w))

Therefore, each dynamic projection DP_{T_D} can be associated with a dynamic mask DP_Γ.


Example 3: According to Example 1, we determine the mask shown in Figure 3. Let w be an execution; the dynamic projection of w = ccabc is computed as follows (where ∀w ∈ Lang(c*a), T_D(w) = {a}, and T_D(w) = {a, b, c} for every other w ∈ Σ*):

• DP_{T_D}(w) = DP_{T_D}(ccabc) = DP_{T_D}(ccab).c only if c ∈ T_D(DP_{T_D}(ccab)). Since DP_{T_D}(ccab) = cca ∈ Lang(c*a), T_D(cca) = {a} and c is unobservable, so DP_{T_D}(ccabc) = DP_{T_D}(ccab).

• DP_{T_D}(w) = DP_{T_D}(ccab) = DP_{T_D}(cca) for the same reason: b ∉ T_D(cca) = {a}.

• DP_{T_D}(cca) = DP_{T_D}(cc).a = DP_{T_D}(c).ca = cca, since a ∈ T_D(cc) = {a, b, c}, c ∈ T_D(c) = {a, b, c} and c ∈ T_D(ε) = {a, b, c}. Hence DP_{T_D}(w) = cca.

• In the same way, with the mask, DP_Γ(w) = DP_Γ(ccabc) = DP_Γ(ccab) because c ∉ Γ(T(q₀, ccab)).

• DP_Γ(w) = DP_Γ(ccab) = DP_Γ(cca) because b ∉ Γ(T(q₀, cca)).

• DP_Γ(w) = DP_Γ(cca) = DP_Γ(cc).a = DP_Γ(c).ca = cca, since a ∈ Γ(T(q₀, cc)), c ∈ Γ(T(q₀, c)) and c ∈ Γ(T(q₀, ε)).

Figure 3: A dynamic mask according to Figure 2


To summarize this part, we define the dynamic projection for an LTS LG = (Q, Q₀, Σ, →) and a corresponding mask LG_M = (Q_M, Q_{M0}, Σ, Γ, T) as follows, where Q_{M0} = {q₀}:

DP_Γ(ε) = ε;
DP_Γ(w.a) = DP_Γ(w).a if a ∈ Γ(T(q₀, w))    (5)
DP_Γ(w.a) = DP_Γ(w) otherwise
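The three projections of Sections 4.1 and 4.2 side by side, as an added example that is not code from the paper: the static projection of equation (1), the dynamic projection of equation (2) driven by the observability T_D of Example 3, and the same projection driven by a mask as in equations (4) and (5). The mask states, their Γ labels and their transitions are constructed here to encode T_D (Figure 3 is not reproduced on the page).

```python
# Added example (not from the paper): the static projection P_Σo of
# equation (1), the dynamic projection DP_TD of equation (2), and the mask
# form DP_Γ of equation (5). Inputs are constructed from Examples 1 and 3.
import re
from typing import Callable, Dict, FrozenSet, Set, Tuple

ALPHABET: Set[str] = {"a", "b", "c"}


def static_projection(word: str, observable: Set[str]) -> str:
    """P_Σo of equation (1): keep exactly the events of Σo, in order."""
    return "".join(event for event in word if event in observable)


def dynamic_projection(word: str, t_d: Callable[[str], Set[str]]) -> str:
    """DP_TD of equation (2). The events observable after the prefix w are
    T_D(DP_TD(w)): the observer updates its mask from what it has seen so far."""
    observed = ""
    for event in word:
        if event in t_d(observed):
            observed += event
    return observed


def t_d_example3(observed: str) -> Set[str]:
    """Dynamic observability of Example 3: only a stays visible once the
    observation is in c*a; all events are visible otherwise."""
    return {"a"} if re.fullmatch(r"c*a", observed) else set(ALPHABET)


# Mask of Definition 8 encoding t_d_example3 (constructed here; Figure 3 is
# not reproduced on the page). GAMMA gives the events kept observable in each
# mask state; DELTA is the single-event transition relation of the mask.
GAMMA: Dict[str, FrozenSet[str]] = {
    "q0": frozenset(ALPHABET),  # no observation of the form c*a yet
    "q1": frozenset({"a"}),     # the observation so far is in c*a
}
DELTA: Dict[Tuple[str, str], str] = {
    ("q0", "a"): "q1", ("q0", "b"): "q0", ("q0", "c"): "q0",
    ("q1", "a"): "q0",          # c*a followed by another a leaves c*a
}


def mask_transition(state: str, word: str) -> str:
    """T(q, w) of equation (4): the mask moves only on events it observes."""
    for event in word:
        if event in GAMMA[state]:
            state = DELTA[(state, event)]
    return state


def mask_projection(word: str, initial: str = "q0") -> str:
    """DP_Γ of equation (5): the event a after prefix w is kept iff
    a ∈ Γ(T(q0, w))."""
    observed = ""
    for i, event in enumerate(word):
        if event in GAMMA[mask_transition(initial, word[:i])]:
            observed += event
    return observed


def constant_mask(observable: Set[str]) -> Callable[[str], Set[str]]:
    """A constant T_D: the dynamic projection then equals the static one."""
    return lambda _observed: set(observable)


if __name__ == "__main__":
    print(static_projection("ccabbc", {"a", "b"}))    # abb (Example 1)
    print(dynamic_projection("ccabc", t_d_example3))  # cca (Example 2)
    print(mask_projection("ccabc"))                   # cca (Example 3)
```

The word ccabac shows the mask lifting again: the second a is observed while the mask is in q₁ and sends it back to q₀, so the trailing c becomes visible.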


4.3. Orwellian projection 


Orwellian observation is based on the prefix and suffix of the trace and on an observer that can use its knowledge to reinterpret events. This projection is studied in [5]. The interface between a system and an observer is specified by the set of observable events Σₒ ⊆ Σ and the subset of downgrading events Σ_d ⊆ Σ. Thus, the Orwellian projection is defined for the discrete sequence w = a₁a₂...aₙ and denoted by P_{Σₒ,Σ_d}. Formally, P_{Σₒ,Σ_d}: Σ* → Σ* is defined by:

P_{Σₒ,Σ_d}(ε) = ε;
P_{Σₒ,Σ_d}(w.a) = w.a if a ∈ Σ_d    (6)
P_{Σₒ,Σ_d}(w.a) = P_{Σₒ,Σ_d}(w).a if a ∈ Σₒ
P_{Σₒ,Σ_d}(w.a) = P_{Σₒ,Σ_d}(w) otherwise


Orwellian functions pertain to an observer with unlimited memory to retain labels and the ability to use knowledge of other labels, whether acquired before or after, to reinterpret a label. The Orwellian projection can be expressed in another form by [32].

Definition 9: [32] According to observation function Obs: Σ* → Σₒ*, Σₒ ⊆ Σ and Σ_d ⊆ Σ. The Orwellian projection is a mapping Obs': Σ × Σ* → Σₒ ∪ {ε} such that ∀w = a₁a₂...aₙ ∈ Σ*, Obs(w) = Obs'(a₁, w) Obs'(a₂, w) ... Obs'(aₙ, w).

Example 4: Consider the automaton A shown in Figure 2 with Σₒ = {a}, Σᵤ = {c} and Σ_d = {b}. Table 1 gives the Orwellian projection of some executions.

Table 1: Executions with Orwellian projection

Events (read part)   Orwellian observation   Events (read part)   Orwellian observation
c                    ε                       c                    ε
cc                   ε                       ca                   a
cca                  a                       cab                  cab
ccac                 a                       cabc                 cab
ccacb                ccacb                   cabcc                cab
ccacbc               ccacb                   cabccb               cabccb
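Equation (6) and the per-event form Obs'(aᵢ, w) of Definition 9 implemented and checked against Table 1, as an added example that is not code from the paper. The per-event function is our own reading of Definition 9: an unobservable event is revealed exactly when a downgrading event occurs at or after its position, which is what makes the interpretation depend on the suffix of w.

```python
# Added example (not from the paper): the Orwellian projection P_Σo,Σd of
# equation (6) and the per-event form Obs'(a_i, w) of Definition 9, checked
# against Table 1 with Σo = {a}, Σu = {c}, Σd = {b}.
from typing import Dict, Set


def orwellian_projection(word: str, observable: Set[str], downgrading: Set[str]) -> str:
    """Equation (6), evaluated left to right over the prefixes of word."""
    projected = ""
    for i, event in enumerate(word):
        if event in downgrading:
            projected = word[: i + 1]   # P(w.a) = w.a: the raw prefix is revealed
        elif event in observable:
            projected += event          # P(w.a) = P(w).a
        # otherwise P(w.a) = P(w): the event stays hidden (for now)
    return projected


def obs_prime(event: str, position: int, word: str,
              observable: Set[str], downgrading: Set[str]) -> str:
    """Obs'(a_i, w) of Definition 9 (our reading of it): the interpretation
    of a_i depends on the whole word, since a hidden event is revealed
    retroactively when a downgrading event occurs at or after its position."""
    if event in observable:
        return event
    if any(later in downgrading for later in word[position:]):
        return event
    return ""


def obs(word: str, observable: Set[str], downgrading: Set[str]) -> str:
    """Obs(w) = Obs'(a_1, w) Obs'(a_2, w) ... Obs'(a_n, w)."""
    return "".join(obs_prime(e, i, word, observable, downgrading)
                   for i, e in enumerate(word))


# Table 1 of the paper: read part -> Orwellian observation ("" stands for ε).
TABLE_1: Dict[str, str] = {
    "c": "", "cc": "", "cca": "a", "ccac": "a", "ccacb": "ccacb", "ccacbc": "ccacb",
    "ca": "a", "cab": "cab", "cabc": "cab", "cabcc": "cab", "cabccb": "cabccb",
}


def check_table_1() -> bool:
    """Both forms must reproduce Table 1 and agree with each other."""
    observable, downgrading = {"a"}, {"b"}
    return all(
        orwellian_projection(w, observable, downgrading) == expected
        == obs(w, observable, downgrading)
        for w, expected in TABLE_1.items()
    )


if __name__ == "__main__":
    print(check_table_1())  # True
```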


The Orwellian concept is extended to the m- 
Orwellian category further by incorporating modern 
technologies and methods of mass surveillance. M- 
Orwellian observation involves the use of advanced 
monitoring tools, data analytics, and interconnected 
systems to exert pervasive control. It often raises 
concerns about privacy, data ethics, and the potential 
misuse of technology for surveillance purposes. 


Orwellian observation defined for a fixed number of observed events is called m-Orwellian observation. The number of observable events before a downgrading action is less than or equal to m. The m-Orwellian projection is defined as follows by [32].

Definition 10: [32] According to observation function Obs: Σ* → Σₒ*, Σₒ ⊆ Σ, Σ_d ⊆ Σ and m ∈ ℕ*. The m-Orwellian projection is a mapping Obs': Σ × Σ* → Σₒ ∪ {ε} such that ∀w = a₁a₂...aₙ ∈ Σ*, Obs(w) = Obs'(a₁, j₁) Obs'(a₂, j₂) ... Obs'(aₙ, jₙ) where ∀p ∈ [1, n], j_p = a_{max(1, p−m+1)} a_{max(1, p−m+1)+1} ... a_{min(n, p+m−1)}.


4.4. Timed static projection 


Timed static projection can be reflected in 
narratives that focus on pivotal moments in a 
society's history, capturing the static essence of each 
era while acknowledging the temporal transitions 
between them. This approach allows authors to 
explore the nuanced interplay between stability and 
change within complex systems, offering readers a 
richer understanding of the narrative's temporal 
landscape. 


The static projection is extended to timed sequences of a real-time system. Formally, TP_Σₒ: (Σ × ℚ₊)* → (Σₒ × ℚ₊)* is defined by:

TP_Σₒ((ε, γ)) = (ε, γ);
TP_Σₒ(u.(a, γ)) = TP_Σₒ(u) if a ∈ Σᵤ    (7)
TP_Σₒ(u.(a, γ)) = TP_Σₒ(u).(a, γ) otherwise

where u ∈ (Σ × ℚ₊)*, a ∈ Σ, γ ∈ ℚ₊ and ε is the empty string. The notation [u]_Σₒ is extended to represent the set of all timed executions having the same projection as u.


5. DISCRETE OPACITY WITH STATIC PROJECTION

The opacity properties were first introduced for the analysis of cryptographic protocols in [33, 36]. Next, opacity was defined for communication networks. In [4, 24], opacity was introduced in DES when the system can be modeled by Petri nets. In [5], this work was deepened by studying opacity in more general systems, labelled LTSs.

The opacity parameters are determined by the following conditions: (1) S is a collection of confidential information; (2) the intruder is an observer of S who has complete knowledge of the architecture of A. An opaque system is characterized by the presence of a non-secret behavior that is indistinguishable from a secret behavior, which makes it impossible for an outsider to discern the secret behavior. Consequently, the intruder remains uncertain about the occurrence of the secret. Building on existing research, [4] studies opacity for DES modeled by FSA with partial transition observability. Previous literature, however, categorizes formal LTS opacity definitions into two main families.


5.1. Language Based Opacity 


The concept of LBO was initially introduced in [9]. The secret behavior is defined by a language called LangS, which is a subset of Σ*. It is also known as trace-based opacity. The system is opaque w.r.t. LangS and the projection map P_Σₒ if the intruder is unable to ascertain whether a word is in the secret language or not. In [11], LBO is specified across two sub-languages of the system, (Lang1, Lang2) ⊆ (Lang(LG, Q₀))². Lang1 is said to be opaque w.r.t. Lang2 under the projection map P_Σₒ if the intruder confuses every string in Lang1 with some string in Lang2 under the projection map. Consider that Lang = LangS ∪ LangNS is a language where LangS and LangNS are the secret and non-secret languages.


Definition 11: The secret language LangS is said to be language-based opaque under P_Σₒ if ∀w ∈ LangS, ∃w' ∈ LangNS such that P_Σₒ(w) = P_Σₒ(w').

A secret language is considered opaque if every string w in the secret language LangS has a corresponding string w' in LangNS with the same projection. In other words, we have the following lemma.

Lemma 1: The secret language LangS is language-based opaque under P_Σₒ iff P_Σₒ(LangS) ⊆ P_Σₒ(LangNS).

Definition 12: The secret language LangS is said to be weakly opaque under P_Σₒ if for some w ∈ LangS, ∃w' ∈ LangNS such that P_Σₒ(w) = P_Σₒ(w').

The secret language is considered weakly opaque if there is a string w in LangS and another string w' in LangNS that has the same projection. We give a more formal statement in Lemma 2.

Lemma 2: The secret language LangS is weakly opaque under P_Σₒ iff P_Σₒ(LangS) ∩ P_Σₒ(LangNS) ≠ ∅.

Definition 13: The secret language LangS is said to be no-opaque under P_Σₒ if LangS is not weakly opaque under P_Σₒ.

The secret language is no-opaque if for each string w in LangS there is no string w' in LangNS with the same projection. In other words, we have the following lemma.

Lemma 3: The secret language LangS is no-opaque under P_Σₒ iff P_Σₒ(LangS) ∩ P_Σₒ(LangNS) = ∅.


Example 5: We consider the secret language LangS = Lang(aba(cba)*) ∪ Lang(ca(bac)*) and the non-secret language LangNS = Lang(a(bac)*) ∪ Lang(a(bac)*b) ∪ Lang(a(bac)*bab) ∪ Lang(ca(bac)*b) ∪ Lang(ca(bac)*ba) ∪ Lang(ca(bac)*baa), where Σₒ = {a, b} and Σᵤ = {c} are the sets of observable and unobservable actions. For each observed word, the intruder cannot tell whether it comes from a word in the secret language or from an observationally equivalent word in the non-secret language. Therefore, the secret language LangS is language-based opaque under P_Σₒ.
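A bounded check of Lemmas 1 to 3 on the languages of Example 5, as an added example that is not code from the paper. Because P_Σₒ is a homomorphism, the projection of a regular expression in which the unobservable letters occur only as literals is obtained by deleting those letters from the expression; secret words are enumerated up to K unfoldings of each star (K is a constructed bound, in the spirit of Lang_K of Section 2.1), so only a positive match is exact and the two negative verdicts hold for the sampled words.

```python
# Added example (not from the paper): a bounded check of Lemmas 1-3 for the
# languages of Example 5. P_Σo is a homomorphism, so the projection of a
# regular expression whose unobservable letters occur only as literals is
# obtained by deleting those letters from the expression. Secret words are
# enumerated up to K unfoldings of each star; K is a constructed bound.
import re
from typing import List, Set

OBSERVABLE: Set[str] = {"a", "b"}
UNOBSERVABLE: Set[str] = {"c"}

# Example 5, written as Python regular expressions over Σ = {a, b, c}.
LANG_S = r"aba(cba)*|ca(bac)*"
LANG_NS = r"a(bac)*|a(bac)*b|a(bac)*bab|ca(bac)*b|ca(bac)*ba|ca(bac)*baa"


def project_word(word: str, observable: Set[str]) -> str:
    """P_Σo of equation (1)."""
    return "".join(e for e in word if e in observable)


def project_regex(regex: str, unobservable: Set[str]) -> str:
    """Image of Lang(regex) under P_Σo, as a regular expression."""
    return "".join(ch for ch in regex if ch not in unobservable)


def unfold(prefix: str, cycle: str, suffix: str, k: int) -> List[str]:
    """The words prefix.cycle^i.suffix for 0 <= i <= k."""
    return [prefix + cycle * i + suffix for i in range(k + 1)]


def secret_words(k: int) -> List[str]:
    """Lang(aba(cba)*) ∪ Lang(ca(bac)*), bounded to k unfoldings."""
    return unfold("aba", "cba", "", k) + unfold("ca", "bac", "", k)


def in_lang_s(word: str) -> bool:
    """Membership in LangS, used to cross-check the enumeration."""
    return re.fullmatch(LANG_S, word) is not None


def classify(secret: List[str], non_secret_regex: str = LANG_NS) -> str:
    """Lemma 1: every secret projection lies in P(LangNS) -> language-based
    opaque. Lemma 2: at least one does -> weakly opaque. Lemma 3: none does
    -> no-opaque. A hit is exact; the first and third verdicts are only
    established for the words supplied."""
    projected_ns = re.compile(project_regex(non_secret_regex, UNOBSERVABLE))
    hits = [projected_ns.fullmatch(project_word(w, OBSERVABLE)) is not None
            for w in secret]
    if hits and all(hits):
        return "language-based opaque"
    if any(hits):
        return "weakly opaque"
    return "no-opaque"


if __name__ == "__main__":
    print(project_regex(LANG_NS, UNOBSERVABLE))
    print(classify(secret_words(5)))   # language-based opaque
    # Constructed contrasting secrets (not from the paper):
    print(classify(["abb"]))           # no-opaque
    print(classify(["abb", "aba"]))    # weakly opaque
```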


5.2. State Based Opacity 


The state-based approach is associated with the covert actions of a single state or a group of states. Multiple opacity properties have been established based on the type of secret being considered. Let LG be an LTS, with Σₒ ⊆ Σ and S ⊆ F the secret states, where F ⊆ Q is the set of final states.


1) Current-State Opacity or CSO: 

CSO was initially presented in [4] for Petri Nets. The state property pertains to the inclusion of the system's final state in a specific set of undisclosed states. This property was adapted to LTS in [2, 4, 28, 35].


Definition 14: The secret $S$ is said to be current-state opaque under $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, Q_0, S)$, $\exists w' \in Lang(LG, Q_0, Q - S)$ such that $P_{\Sigma_o}(w) = P_{\Sigma_o}(w')$.


The system is deemed current-state opaque if the intruder, although possessing comprehensive knowledge of the system's architecture and partial observations of its behavior, cannot tell whether the state reached is secret. Definition 14 is formulated as a language inclusion in Lemma 4:


Lemma 4: The secret $S$ is said to be current-state opaque under $P_{\Sigma_o}$ iff:

$P_{\Sigma_o}(Lang(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, Q - S))$


Example 6: According to Example 1, we built an LTS $LG$ corresponding to the secret and non-secret languages, as shown in Figure 4, with $Q = \{q_0, q_1, q_2, q_3, q_4, q_5, q_6, q_7, q_8\}$ the set of states, $\Sigma_o = \{a, b\}$ and $\Sigma_u = \{c\}$. If we consider that $S = \{q_3\}$, then $S$ is CSO because the intruder confuses the words $aba$ and $caba$: the outsider is not certain whether the system is in $q_3 \in S$ or in $q_8 \in Q - S$. But if $S = \{q_3, q_6\}$, then $S$ is not CSO: the outsider is certain that the system is in $q_6$ when $cabaa$ is executed.


[Figure 4: diagram of the LTS $LG$ with initial states $q_0$ and $q_5$; not reproduced]

Figure 4: Opacity example


2) The Initial-State Opacity or ISO 

ISO was defined within Petri Net models in [4] and later extended to LTS in [7, 22]. ISO refers to a state property that pertains to the membership of the system's starting state in a collection of confidential states. If the intruder is unable to conclude whether the initial state of the system is secret or not, then the system is initial-state opaque.


Definition 15: The secret $S$ is said to be initial-state opaque under $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, S)$, $\exists w' \in Lang(LG, Q_0 - S)$ such that $P_{\Sigma_o}(w) = P_{\Sigma_o}(w')$.


The system is completely opaque in its initial state: for each word $w$ that starts from a confidential state $q_0 \in S \subseteq Q_0$, there is another word $w'$ from a non-confidential initial state $q_0' \in Q_0 - S$ such that $w$ and $w'$ are observationally equivalent. Thus, the intruder is unable to ascertain whether the system originated from the confidential state $q_0$ or from the non-confidential state $q_0'$. Formally, ISO can be defined by the following Lemma.


Lemma 5: The secret $S$ is said to be initial-state opaque under $P_{\Sigma_o}$ iff:
$P_{\Sigma_o}(Lang(LG, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0 - S))$


Example 7: We consider the LTS $LG$ shown in Figure 4 with $Q_0 = \{q_0, q_5\}$. If $S = \{q_0\}$, then $S$ is initial-state opaque. The set of words starting from $q_0$ is $Lang(LG, S) = Lang(a(bac)^*) \cup Lang(a(bac)^*b) \cup Lang(a(bac)^*bab)$. The set of words starting from $q_5$ is $Lang(LG, Q_0 - S) = Lang(ca(bac)^*b) \cup Lang(ca(bac)^*ba) \cup Lang(ca(bac)^*baa)$. If $S = \{q_5\}$, then $S$ isn't initial-state opaque: the outsider is convinced that the system started from $q_5$ and ended in $q_8$ when the discrete word $abaa$ is executed.


The efficient resolution of both CSO and ISO can 
be achieved in bounded Petri nets by utilizing a 
concise depiction of the reachability graph [15]. 


3) Initial-and-Final-State Opacity or IFO 
IFO is a state property related to both the system's initial and final states [13]. This property defines secret states as pairs of states.


Definition 16: The secret $S$ is said to be initial-and-final-state opaque under $P_{\Sigma_o}$ if: $\forall (q_i, q_j) \in S$ and $\forall w \in Lang(LG, q_i, q_j)$, $\exists (q_i', q_j') \in (Q_0 \times Q) - S$ and $\exists w' \in Lang(LG, q_i', q_j')$ such that $P_{\Sigma_o}(w) = P_{\Sigma_o}(w')$.


The system is initial-and-final-state opaque if for every word $w$ starting from $q_i$ and ending at $q_j$, there exists another word $w'$ beginning from $q_i'$ and terminating at $q_j'$ such that $w$ and $w'$ are observationally the same. Thus, the outsider is unable to ascertain the secrecy of the state pair. We propose another definition of this property in Lemma 6.


Lemma 6: The secret $S$ is said to be initial-and-final-state opaque under $P_{\Sigma_o}$ iff:

$P_{\Sigma_o}\big(\bigcup_{(q_0, q_f) \in S} Lang(LG, q_0, q_f)\big) \subseteq P_{\Sigma_o}\big(\bigcup_{(q_0', q_f') \in (Q_0 \times Q) - S} Lang(LG, q_0', q_f')\big)$


According to the previous Lemma, IFO is similar to strong language-based opacity where $LangS = \bigcup_{(q_0, q_f) \in S} Lang(LG, q_0, q_f)$ is the secret language and $LangNS = \bigcup_{(q_0', q_f') \in (Q_0 \times Q) - S} Lang(LG, q_0', q_f')$ is the non-secret language.


Example 8: We recall $LG$ as shown in Figure 4 with $Q_0 = \{q_0, q_5\}$. If $S = \{(q_0, q_3)\}$, then $S$ is initial-and-final-state opaque. The outsider is never certain whether the word $aba$ corresponds to the secret state pair $(q_0, q_3)$.
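As an added example (our code, not the paper's), the following Python script decides Lemmas 4, 5 and 6 exactly by building the observer automaton over (initial, current) state pairs and checking that every reachable state estimate containing a secret pair also contains a non-secret one; CSO and ISO fall out as the special cases $Q_0 \times S$ and $S \times Q$ of the IFO check. The LTS is constructed by us so that its two components generate the secret and non-secret languages of Example 5; its state names (s0..s4, t0..t5) are ours, since the transitions of Figure 4 are not given in the text, so the verdicts mirror Examples 6 to 8 with renamed states.

```python
from collections import deque

# Constructed LTS (not the paper's Figure 4; state names are ours). Its two
# components generate the languages of Example 5 over Sigma_o = {a, b}, Sigma_u = {c}:
#   from s0: a(bac)* ends in s1, a(bac)*b in s2, a(bac)*ba = aba(cba)* in s3, a(bac)*bab in s4
#   from t0: ca(bac)* ends in t2, ca(bac)*b in t3, ca(bac)*ba in t4, ca(bac)*baa in t5
TRANS = {
    ("s0", "a"): {"s1"}, ("s1", "b"): {"s2"}, ("s2", "a"): {"s3"},
    ("s3", "c"): {"s1"}, ("s3", "b"): {"s4"},
    ("t0", "c"): {"t1"}, ("t1", "a"): {"t2"}, ("t2", "b"): {"t3"},
    ("t3", "a"): {"t4"}, ("t4", "c"): {"t2"}, ("t4", "a"): {"t5"},
}
Q = {"s0", "s1", "s2", "s3", "s4", "t0", "t1", "t2", "t3", "t4", "t5"}
Q0 = {"s0", "t0"}          # initial states
SIGMA_O = ("a", "b")       # observable actions
SIGMA_U = ("c",)           # unobservable actions, erased by P_{Sigma_o}

def closure(pairs):
    """Saturate a set of (initial, current) pairs along unobservable moves."""
    seen, todo = set(pairs), list(pairs)
    while todo:
        q0, q = todo.pop()
        for u in SIGMA_U:
            for q2 in TRANS.get((q, u), ()):
                if (q0, q2) not in seen:
                    seen.add((q0, q2))
                    todo.append((q0, q2))
    return frozenset(seen)

def step(pairs, sigma):
    """Advance every pair on the observable action sigma, then close."""
    return closure({(q0, q2) for q0, q in pairs
                    for q2 in TRANS.get((q, sigma), ())})

def observer():
    """Subset construction on pairs: for each observation u in P(Lang(LG, Q0)),
    the estimate {(q0, q) : exists w with P(w) = u and q0 -w-> q}.
    Returns {estimate: shortest observation reaching it} (BFS order)."""
    start = closure({(q, q) for q in Q0})
    seen, todo = {start: ""}, deque([start])
    while todo:
        est = todo.popleft()
        for sigma in SIGMA_O:
            nxt = step(est, sigma)
            if nxt and nxt not in seen:
                seen[nxt] = seen[est] + sigma
                todo.append(nxt)
    return seen

def pair_opaque(secret_pairs):
    """Lemma 6 on the observer: P(secret runs) is included in P(non-secret
    runs) iff no reachable estimate consists of secret pairs only.
    Returns (verdict, revealing observation or None)."""
    for est, u in observer().items():
        if est & secret_pairs and not (est - secret_pairs):
            return False, u
    return True, None

def cso(S):  # Lemma 4: secret pairs are Q0 x S
    return pair_opaque({(q0, q) for q0 in Q0 for q in S})

def iso(S):  # Lemma 5: secret pairs are S x Q, with S a subset of Q0
    return pair_opaque({(q0, q) for q0 in S for q in Q})

def ifo(S):  # Lemma 6: S is a set of (initial, final) pairs
    return pair_opaque(set(S))

if __name__ == "__main__":
    print(cso({"s3"}), cso({"t5"}))             # (True, None) (False, 'abaa')
    print(iso({"t0"}), ifo({("s0", "s3")}))     # (False, 'abaa') (True, None)
```

The revealing observation returned on failure is the shortest projected word after which the estimate holds only secret pairs, which is exactly the witness the examples point at (here the projection of $cabaa$).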


4) K-step opacity: 

K-step opacity was initially presented in [4], and later in [7]. It allows verifying whether a visit to a secret state within the last $K$ observed events can be inferred by the intruder. Two forms of this property are presented in [3]: strong and weak.


a) K-step weakly opacity 


Definition 17: The secret $S$ is said to be K-weakly opaque under $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, Q_0)$, $\forall w_1 \le w$ with $|w_1 - w| \le K$ and $w_1 \in Lang(LG, Q_0, S)$, $\exists v \in Lang(LG, Q_0)$, $\exists v_1 \le v$ with $|v_1 - v| \le K$ such that $P_{\Sigma_o}(v) = P_{\Sigma_o}(w)$, $P_{\Sigma_o}(v_1) = P_{\Sigma_o}(w_1)$ and $v_1 \in Lang(LG, Q_0, Q - S)$.


The system is K-weakly opaque if for every discrete word $w$ whose $K$ longest prefixes lead to a secret state, there is another compatible discrete word whose $K$ longest prefixes do not lead to a secret state.


This definition is reformulated in [1]: for every execution $w$ and every prefix $w_1$ of $w$ such that the difference between the observable executions is less than or equal to $K$, there are executions $w'$ and $w'_1$ having the same projections as $w$ and $w_1$, where $w'_1$ is not a secret execution. In other words, we present the following Lemma.


Lemma 7: The secret $S$ is said to be K-weakly opaque under $P_{\Sigma_o}$ iff: $P_{\Sigma_o}(Lang(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, Q - S))$ and $P_{\Sigma_o}(Lang_K(LG, S)) \subseteq P_{\Sigma_o}(Lang_K(LG, Q - S))$.


K-weak opacity is similar to language-based opacity where $LangS = \{w \in Lang(LG, Q_0) : \exists w_1 \in Lang(LG, Q_0, S),\ w_1 \le w \text{ and } |w - w_1| \le K\}$ is the secret language and $LangNS = \{w \in Lang(LG, Q_0) : \exists w_1 \in Lang(LG, Q_0, Q - S),\ w_1 \le w \text{ and } |w - w_1| \le K\}$ is the non-secret language.


Example 9: Let $LG$ be as shown in Figure 4. If we consider that $S = \{q_3, q_6\}$ and $K = 2$, then $S$ is K-weakly opaque. However, if $K = 3$, then $S$ is not K-weakly opaque because there is no word observationally equivalent to $cabaa$: the outsider concludes that the system passed through the secret state $q_6$.

b) K-step strong opacity 


It acts as a detective, scrutinizing the system's 
recent history (the last K observable actions) to 
uncover any hidden visits to secret states. It ensures 
that even a cunning observer, armed with partial 
knowledge, can't definitively tell if the system dipped 
into the shadows of secrecy within this timeframe. 


Definition 18: The secret $S$ is said to be K-strongly opaque under $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, Q_0)$, $\exists v \in Lang(LG, Q_0)$ such that $P_{\Sigma_o}(v) = P_{\Sigma_o}(w)$ and $\forall v_1 \le v$ with $|v_1 - v| \le K$, $v_1 \in Lang(LG, Q_0, Q - S)$.


A system boasts K-strong opacity if, for every possible behavior sequence, there's another identical-looking one (same projection) that avoids secret states within the last $K$ observed actions. This ensures that even a watchful observer can't definitively tell if the system dipped into the shadows of secrecy recently. Definition 18 is formulated in Lemma 8.


Lemma 8: The secret $S$ is said to be K-strongly opaque under $P_{\Sigma_o}$ iff: $P_{\Sigma_o}(Lang(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, Q - S))$ and $P_{\Sigma_o}(Lang_K(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, S))$.


Example 10: Let $LG$ be an LTS as shown in Figure 4. If $S = \{q_3, q_6\}$ and $K = 1$, then $S$ is K-strongly opaque. However, if $K = 2$, then $S$ is not K-strongly opaque because there is no word that does not pass through any secret state.


K-step opacity is translated into trace-based (or trajectory-based) K-step opacity, which concerns whether the system has recently been in a specific state, in [14, 20]. This property is defined as follows: for any given word $w$, there exists at least one discrete word that is observationally similar to $w$; additionally, the states visited while generating the last $K$ actions are exclusively non-secret states. The distinction between K-step opacity and trace-based K-step opacity lies in when the system's state is revealed. Hence, if the system exhibits trace-based K-step opacity, it likewise exhibits K-step weak opacity. The concept of K-step opacity has been expanded to infinite-step opacity in [18, 20].


Definition 19: The secret $S$ is said to be weakly infinite-step opaque under $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, Q_0)$, $\forall w' \in Lang(LG, Q_0, S)$ such that $w' \le w$, $\exists v \in Lang(LG, Q_0)$ and $\exists v' \in Lang(LG, Q_0, Q - S)$ such that $P_{\Sigma_o}(v) = P_{\Sigma_o}(w)$ and $P_{\Sigma_o}(v') = P_{\Sigma_o}(w')$.


The system is infinite-step opaque if for every w, 
the outsider is unable to deduce that the system was 
previously in a concealed state. 


Lemma 9: The secret $S$ is infinite-step opaque under $P_{\Sigma_o}$ iff:
$P_{\Sigma_o}(Lang(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, Q - S))$ and $P_{\Sigma_o}(Lang^{\infty}(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang^{\infty}(LG, Q_0, Q - S))$


Weak infinite-step opacity is similar to language-based opacity where $LangS = \{w \in Lang(LG, Q_0) : \exists w' \in Lang(LG, Q_0, S) \text{ such that } w' \le w\}$ is the secret language and $LangNS = \{w \in Lang(LG, Q_0) : \exists w' \in Lang(LG, Q_0, Q - S) \text{ such that } w' \le w\}$ is the non-secret language.


Definition 20: The secret $S$ is strongly infinite-step opaque under the projection map $P_{\Sigma_o}$ if: $\forall w \in Lang(LG, Q_0)$, $\exists v \in Lang(LG, Q_0)$ such that $P_{\Sigma_o}(v) = P_{\Sigma_o}(w)$ and $\forall v' \le v$, $v' \in Lang(LG, Q_0, Q - S)$.


Lemma 10: The secret $S$ is strongly infinite-step opaque under $P_{\Sigma_o}$ iff: $P_{\Sigma_o}(Lang(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, Q - S))$ and $P_{\Sigma_o}(Lang^{\infty}(LG, Q_0, S)) \subseteq P_{\Sigma_o}(Lang(LG, Q_0, S))$.

Example 11: Let $LG$ be an LTS system as shown in Figure 4. If $S = \{q_3, q_6\}$ and $K = 3$, then $S$ is not K-weakly opaque, hence $S$ is not infinite-step opaque.


These notions are strongly connected to each other; the next section presents the transformation relationships between them.


6. TRANSFORMATION BETWEEN 
DIFFERENT NOTIONS OF OPACITY 


The opacity properties can be transformed into one another with a polynomial time complexity, as defined in [13]. The relationships are presented in Figure 5.


[Figure 5: diagram of the transformations between opacity notions; recoverable labels: K-step weak opacity, IFO]

Figure 5: Transformation between notions of opacity


6.1. Transformation between K-step weak 
opacity and CSO 


CSO is equal to K-step opacity with $K = 0$. Let $LG$ be an LTS, $S_K \subseteq Q$ the secret states and $K \in \mathbb{N}$ a constant. We consider that $S_K$ is K-step weak opaque. From the K-step weak opacity, we determine $S$, the set of current secret states. Formally, $S = \{q_s : \forall w \in Lang(LG, Q_0)\ \exists w_1 \in Lang(LG, Q_0, S_K),\ w_1 \le w,\ |P_{\Sigma_o}(w_1) - P_{\Sigma_o}(w)| \le K \text{ and } last(w_1) = q_s\}$ is the set of current secret states. Then, we determine the non-secret states $NS = Q - S$. To verify whether $S_K$ is K-step weak opaque, we check that every string passing through a secret state $q \in S_K$ has the same projection as a string passing through a non-secret state $q' \in NS_K$, that is, for every string ending in $q_s \in S$ there is a string ending in $q_{ns} \in NS$ with the same observation. This approach is identical to determining whether $S$ is current-state opaque.


6.2. Transformation from K-step weak opacity 
to LBO 


We consider that $S_K$ is K-step weak opaque. From the K-step weak opacity, we determine the secret language $L_S = \{w \in Lang(LG, Q_0) : \exists w_1 \in Lang(LG, Q_0, S_K),\ w_1 \le w,\ |P_{\Sigma_o}(w_1) - P_{\Sigma_o}(w)| \le K\}$. Similarly, we determine the non-secret language $L_{NS} = \{w \in Lang(LG, Q_0) : \exists w_1 \in Lang(LG, Q_0),\ w_1 \le w,\ |P_{\Sigma_o}(w_1) - P_{\Sigma_o}(w)| \le K \text{ and } w_1 \notin Lang(LG, Q_0, S_K)\}$. To verify whether $S_K$ is K-step weak opaque, we check that every string passing through a secret state $q \in S_K$ has the same projection as a string passing through $q' \in NS_K$, that is, every word $w \in L_S$ has the same projection as a string $w' \in L_{NS}$. This approach is identical to determining whether $L_S$ is language-based opaque.


7. DISCRETE OPACITY WITH DYNAMIC 
PROJECTION 


In this section, we generalize the opacity 
approach by considering the notion of dynamic 
projections encoded by dynamic masks. Based on 
these assumptions, we define opacity under the 
dynamic projection as follows [2]. 


Definition 21: Let $LG$ be an LTS and $S \subseteq Q$ the secret states. The secret $S$ is opaque under $DP_{T_D}$ if: $\forall u \in Lang(LG)$, $last([u]_{T_D}) \not\subseteq S$, where $[u]_{T_D}$ represents the set of words observationally equivalent to $u$ under the dynamic projection map $DP_{T_D}$.


Example 12: Let $LG$ be an LTS as shown in Figure 4. If $S = \{q_3\}$ is secret and the dynamic projection map is as follows: $T_D(\varepsilon) = \{a\}$, $T_D(ab) = \{a\}$, $T_D(aba) = \{a, b\}$ and $T_D(u) = \{a, b, c\}$ otherwise, then $S$ is opaque under $DP_{T_D}$. However, if the dynamic projection map is as follows: $T_D(ab) = \{a, b\}$ and $T_D(u) = \{a, b, c\}$ otherwise, then $S$ isn't opaque. There is no observational equivalent of the sequence $aba$; therefore, the intruder can conclude that the system is in the secret state $q_3$.


The opacity verification problem is harder under dynamic projection than under static projection: specifically, it becomes PSPACE-complete.

Dynamic projection is frequently employed to ensure opacity. Opacity is also specified with respect to the Orwellian projection map, illustrated in the following section.


8. DISCRETE OPACITY WITH ORWELLIAN PROJECTION


This section examines the opacity property in relation to the Orwellian projection of [39]. The observability of $w$ under the Orwellian projection is determined by the observability of all actions that occur prior to each downgrading action. More simply, each discrete word is partitioned into two parts, $D(w)$ and $C(w, Lang)$, where $D(w)$ is the first part of $w$, ending with the last downgrading action, and $C(w, Lang)$ is the continuation of $D(w)$, which does not contain downgrading actions. Formally, $\forall w \in Lang$, $w = D(w).C(w, Lang)$ where $D(w) \in \{\varepsilon\} \cup (Lang \cap \Sigma^* \Sigma_d)$, with $\Sigma_d$ the downgrading actions, so that $Lang \cap \Sigma^* \Sigma_d$ contains the prefixes of $Lang$ ending in a downgrading action, and $C(w, Lang) = (\Sigma_o \cup \Sigma_u)^* \cap Lang'$ where $Lang'$ is the continuation of $Lang$ after $D(w)$. We extend $D(w)$ to $D(Lang) = \{\varepsilon\} \cup (Lang \cap \Sigma^* \Sigma_d)$. The following definition presents the opacity property under the Orwellian projection map.


Definition 22: Let $LG$ be an LTS and $S$ a secret state. The secret is opaque under $P_{\Sigma_o, \Sigma_d}$ if $\forall u \in D(Lang(LG))$, $C(u, Lang(LG))$ is opaque under $P_{\Sigma_o}$.


Example 12: Let $LG$ be an LTS as shown in Figure 4, $\Sigma_o = \{a\}$ and $\Sigma_d = \{b\}$. If $S = \{q_3\}$ then $S$ isn't opaque under $P_{\Sigma_o, \Sigma_d}$.


9. TIMED OPACITY WITH STATIC PROJECTION


The concept of opacity is expanded to timed settings to explore the problem of language-based opacity [21]. Timed opacity is a fascinating extension of opacity that takes into account the intruder's measurement of time, where the secret is a collection of specific locations. This characteristic guarantees that the intruder cannot definitively determine whether the observed sequence belongs to the secret or not.


Definition 23: Let $A$ be a timed automaton, $\Sigma_o$ a set of observable actions and $S \subseteq L$ the secret locations. The secret $S$ is timed opaque under $TP_{\Sigma_o}$ if: $\forall u \in TL_S(A)$, $\exists u' \in TL_{NS}(A)$ such that $TP_{\Sigma_o}(u) = TP_{\Sigma_o}(u')$.


A system is considered timed opaque if, for every timed word $u$, there exists another timed word $u'$ that has the same projection as $u$ and leads to non-secret locations. Language-opacity is defined as opacity for a real-time automaton, as stated in [21, 32]. An alternative formulation of this definition can be stated as:


Lemma 12: [32] The secret $S$ is timed opaque under $TP_{\Sigma_o}$ if $\forall u \in TP_{\Sigma_o}(TL_S(A))$, $[u]_{TP_{\Sigma_o}} \not\subseteq S$.


Lemma 13: [17] Language-opacity: $TP_{\Sigma_o}(TL(A) \cap TL_S) \subseteq TP_{\Sigma_o}(TL(A) - TL_S)$.


[Figure 6: timed automaton over actions $a$, $b$, $c$ with guards on clock $x$; diagram not reproduced]

Figure 6: Example of TA in [32]


Example 13: Let $A$ be the TA shown in Figure 6 where $\Sigma_o = \{b\}$ and $S = \{l_1\}$. Then, $A$ isn't opaque: the outsider is certain that the system is in $l_1$ when he observes the projection of the word $b$ occurring at time 1 under $TP_{\Sigma_o}$.


10. VERIFICATION AND DECIDABILITY OF OPACITY


The opacity property requires that a system hides a secret behavior from an intruder. This property is verified using different frameworks, such as:


• Labeled Petri Nets (LPN) are used to verify ISO in [15, 26], CSO in [16] and language-based opacity in [31].


• Symbolic Observation Graphs (SOG) are used to verify simple opacity in [38], and K-step weak and strong opacity in [15].


• Labeled Transition Systems (LTS) are followed in several works such as [2, 7, 9, 18, 20, 22]. The opacity properties are verified by building the observer automaton.


To assess the opacity of these systems, it is essential to establish whether a system is opaque with respect to a specific secret [11, 13, 22, 24, 31]. Numerous studies have been conducted on the decidability of the opacity property in DESs, as evidenced by the works in [4, 35]. For instance, the decidability of CSO, ICO, and language opacity in LTS has been demonstrated. ISO is decidable for bounded Petri nets [4] and undecidable for unbounded Petri nets [35]. The decidability and complexity results for opacity problems, for each discrete system model and projection map, are synthesized in [29].


Timed opacity is generally undecidable for the timed automata and event recording automata used in real-time systems. The problem of deciding timed opacity is undecidable for non-deterministic Timed Automata, but decidable for Event Recording Automata. The language opacity problem and the initial-state opacity problem are decidable for Real-Time Automata, as stated in [17].


11. COMPARISON WITH EXISTING WORKS


This section recapitulates the different definitions of opacity for both discrete and real-time systems. We present a comparative overview in Table 2. On one hand, the table shows established notions from previous research. On the other hand, it showcases the corresponding definitions based on our proposed lemmas introduced earlier.


Table 2: Executions with Orwellian projection

Projection              | Opacity property                 | Existing works  | Our work
------------------------|----------------------------------|-----------------|------------------------
Static projection       | Language-Based Opacity           | [9, 11]         | Lemma 1, Definition 11
Static projection       | Weakly Opaque                    | [11]            | Lemma 2, Definition 12
Static projection       | No Opacity                       | [11]            | Lemma 3, Definition 13
Static projection       | Current-State Opacity            | [2, 4, 28, 35]  | Lemma 4, Definition 14
Static projection       | Initial-State Opacity            | [4, 7, 22]      | Lemma 5, Definition 15
Static projection       | Initial-and-Final-State Opacity  | [13]            | Lemma 6, Definition 16
Static projection       | K-step Weakly Opacity            | [1, 3, 4, 7]    | Lemma 7, Definition 17
Static projection       | K-step Strongly Opacity          | [3, 4, 7]       | Lemma 8, Definition 18
Static projection       | Weakly Infinite-Step Opacity     | [18, 20]        | Lemma 9, Definition 19
Static projection       | Strongly Infinite-Step Opacity   | [18, 20]        | Lemma 10, Definition 20
Dynamic projection      | Opacity                          | [2]             | Definition 21
Orwellian projection    | Opacity                          | [39]            | Definition 22
Timed static projection | Opacity                          | [21, 32]        | Lemma 12, Definition 23


Note that the complexity of these notions of opacity remains the same, because the verification of each opacity property is based on the verification of an inclusion problem.


Figure 7 illustrates the relations between the different publications addressing the opacity properties described in Section 5. Each arrow linking paper X to paper Y in the diagram means that paper Y introduces a new notion of opacity based on results obtained in paper X.
[Figure 7: reference graph whose nodes are the cited papers [4], [2], [9], [22], [33], [19], [18], [35], [10], [11], [30, 34], [14], [28], [36], [21], [17], [27], [38], [3], [1] with their titles; the arrows are not recoverable from the text]

Figure 7: Reference Graph Between Opacity Notions


12. CONCLUSION 


This paper presented a unified framework for 
defining opacity properties applicable to both 
discrete and real-time systems. This framework 
addresses a key challenge in the field of opacity 
research - the difficulty of comparing and analyzing 
opacity properties across various system models and 
observation scenarios. By leveraging language 
inclusion problems as a foundation, the framework 
allows researchers to analyze opacity properties in a 
consistent manner, regardless of the underlying 
system type or observation setting. This not only 
simplifies analysis but also facilitates the 
identification of connections between existing 
opacity formalisms. Furthermore, the paper 
establishes a foundation for future research by 
compiling existing decidability results for these 
unified opacity concepts and outlining potential 
avenues for exploring verification methods under 
various conditions. 


In conclusion, this work offers a significant 
contribution to the field of opacity research. The 
proposed unified framework promotes a more 
comprehensive understanding of opacity properties 
in security systems. It empowers researchers to 
effectively compare different opacity concepts, 
paving the way for advancements in this crucial area 
of security analysis. It also opens exciting avenues for 
future exploration. 


Building upon this foundation, future work can 
delve into areas such as: 


• Extending the framework to incorporate additional opacity properties beyond those currently supported.


• Developing automated verification techniques specifically tailored to the unified opacity framework.


• Investigating the applicability of the framework to analyze opacity in even more complex system models, including distributed and hybrid systems.


• Exploring the potential for leveraging the framework in practical security analysis tools for real-world systems.


By pursuing these avenues, researchers can 
further refine and extend the power of the unified 
framework, leading to a deeper understanding of 
opacity and its role in securing complex systems. 